Issue Station
Sign In
Tools hereToolbox

claude-code - 💡(How to fix) Fix Claude in Chrome (sidepanel): CSP blocks inline script, breaking MCP browser bridge

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…

The Claude in Chrome extension (v1.0.72) has a Content Security Policy violation in sidepanel.html that blocks an inline <script> tag from executing. This prevents the side panel from initialising, which in turn means the MCP browser bridge never connects to Claude Code — all mcp__claude-in-chrome__* tool calls return "Browser extension is not connected."

Error Message

Executing inline script violates the following Content Security Policy directive: 'script-src 'self''. Either the 'unsafe-inline' keyword, a hash ('sha256-kFwyFWA0myfqRcE5y2d5UX8g0o2QFHSmCz1gWSW0xpk='), or a nonce ('nonce-...') is required to enable inline execution. The action has been blocked.

Context: sidepanel.html?tabId=193338767 Stack trace: sidepanel.html:8 (anonymous function)

<script> // Set initial theme mode based on system preference (function () { const isDark = window.matchMedia( "(prefers-prefers-color-scheme: dark)", ).matches;

Root Cause

  1. The native messaging host (claude --chrome-native-host) IS launched correctly by Chrome and creates a bridge socket at /tmp/claude-mcp-browser-bridge-jankrag/<pid>.sock
  2. chrome.runtime.sendNativeMessage('com.anthropic.claude_code_browser_extension', {type:'ping'}, ...) returns {type:'pong'} — so Chrome ↔ native host communication works
  3. However, the Claude Code process never connects to the bridge socket — only the native host has the socket open
  4. Root cause appears to be the CSP violation preventing the side panel JS from running, so the extension never completes its connection handshake with Claude Code

Fix Action

Workaround

None found. The CSP violation is in the extension bundle itself and cannot be worked around by the user.

Code Example

Executing inline script violates the following Content Security Policy directive:
'script-src 'self''. Either the 'unsafe-inline' keyword, a hash
('sha256-kFwyFWA0myfqRcE5y2d5UX8g0o2QFHSmCz1gWSW0xpk='), or a nonce ('nonce-...')
is required to enable inline execution. The action has been blocked.

Context: sidepanel.html?tabId=193338767
Stack trace: sidepanel.html:8 (anonymous function)

<script>
  // Set initial theme mode based on system preference
  (function () {
    const isDark = window.matchMedia(
      "(prefers-prefers-color-scheme: dark)",
    ).matches;
RAW_BUFFERClick to expand / collapse

Summary

The Claude in Chrome extension (v1.0.72) has a Content Security Policy violation in sidepanel.html that blocks an inline <script> tag from executing. This prevents the side panel from initialising, which in turn means the MCP browser bridge never connects to Claude Code — all mcp__claude-in-chrome__* tool calls return "Browser extension is not connected."

Environment

  • Claude Code: 2.1.142
  • Claude in Chrome extension: 1.0.72
  • Chrome: latest
  • OS: macOS 15.5 (Darwin 25.5.0)

Error shown in chrome://extensions → Claude → Errors

Executing inline script violates the following Content Security Policy directive:
'script-src 'self''. Either the 'unsafe-inline' keyword, a hash
('sha256-kFwyFWA0myfqRcE5y2d5UX8g0o2QFHSmCz1gWSW0xpk='), or a nonce ('nonce-...')
is required to enable inline execution. The action has been blocked.

Context: sidepanel.html?tabId=193338767
Stack trace: sidepanel.html:8 (anonymous function)

<script>
  // Set initial theme mode based on system preference
  (function () {
    const isDark = window.matchMedia(
      "(prefers-prefers-color-scheme: dark)",
    ).matches;

Additional blocked resources:

  • wasm-unsafe-eval also blocked for the same inline script
  • https://cdn.segment.com/next-integrations/actions/amplitude-plugins/...js blocked by script-src 'self'
  • Datadog Browser SDK loaded more than once warning

Diagnosis

Investigating the connection failure via process inspection revealed:

  1. The native messaging host (claude --chrome-native-host) IS launched correctly by Chrome and creates a bridge socket at /tmp/claude-mcp-browser-bridge-jankrag/<pid>.sock
  2. chrome.runtime.sendNativeMessage('com.anthropic.claude_code_browser_extension', {type:'ping'}, ...) returns {type:'pong'} — so Chrome ↔ native host communication works
  3. However, the Claude Code process never connects to the bridge socket — only the native host has the socket open
  4. Root cause appears to be the CSP violation preventing the side panel JS from running, so the extension never completes its connection handshake with Claude Code

Expected behaviour

Claude in Chrome connects to Claude Code and mcp__claude-in-chrome__tabs_context_mcp returns tab information.

Actual behaviour

All mcp__claude-in-chrome__* calls return "Browser extension is not connected." The side panel shows a CSP error and the connection handshake never completes.

Workaround

None found. The CSP violation is in the extension bundle itself and cannot be worked around by the user.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING

claude-code - 💡(How to fix) Fix Claude in Chrome (sidepanel): CSP blocks inline script, breaking MCP browser bridge